> > In sebek environment, we better disable /dev/{kmem,mem}, together with
> > loading module capability. Then nobody can access kernel memory any
> > longer, no?
I am not a kernel/honeypot hacker, but would it be possible to, at
the kernel level, redirect /dev/{mem,kmem} to, for example, a stored
memory dump? That way, when the attacker probes the device file,
he/she sees not the real state of the memory, but a stored state from
when the kernel wasn't honeypotted. Then any changes to the devices
could either be ignored, or written to the stored dump.
That way, the honeypot shouldn't be too obvious - unless the attacker
deliberately does something crashy and finds the box proceeds as
normal.
Just a random idea... I have no idea if that is even possible - never
mind useful.
--
Neuronstorm: neuronstorm.sourceforge.net
The Neuronstorm Blog: leinad-golb.blogspot.com
Received on Oct 06 2005
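As an added illustration of the decoy-device idea proposed above (not code from the list or from any honeypot project), the following user-space C model keeps a "live" memory buffer that is never handed out and a "dump" snapshot that serves every read through the device file. Writes through the device follow one of the two policies the post mentions: dropped silently, or applied to the snapshot so a later read-back stays consistent. The buffer size, the `decoy_*` names and the write-policy enum are assumptions made for this example; a real implementation would live in the kernel's file operations for the device nodes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical user-space model of a snapshot-backed /dev/{mem,kmem}.
 * MEM_SIZE, the struct layout and all function names are assumptions. */
#define MEM_SIZE 64

enum write_policy { WRITE_IGNORE = 0, WRITE_TO_DUMP = 1 };

struct decoy_mem {
    uint8_t live[MEM_SIZE]; /* real kernel memory; never exposed to readers */
    uint8_t dump[MEM_SIZE]; /* snapshot taken before the host was instrumented */
    enum write_policy policy;
};

/* Take the snapshot: at this point live and dump are identical. */
void decoy_init(struct decoy_mem *d, const uint8_t *initial, size_t len,
                enum write_policy p)
{
    if (len > MEM_SIZE) len = MEM_SIZE;
    memset(d, 0, sizeof *d);
    memcpy(d->live, initial, len);
    memcpy(d->dump, initial, len);
    d->policy = p;
}

/* The monitoring instrumentation itself changes live memory after the
 * snapshot; this is exactly the state the decoy is meant to hide. */
int decoy_live_write(struct decoy_mem *d, size_t off, const uint8_t *src, size_t len)
{
    if (off > MEM_SIZE || len > MEM_SIZE - off) return -1;
    memcpy(d->live + off, src, len);
    return 0;
}

/* What a process reading the device file gets: the snapshot, not live memory. */
long decoy_read(const struct decoy_mem *d, size_t off, uint8_t *dst, size_t len)
{
    if (off > MEM_SIZE || len > MEM_SIZE - off) return -1;
    memcpy(dst, d->dump + off, len);
    return (long)len;
}

/* A write through the device never reaches live memory: it is either
 * accepted and discarded, or applied to the snapshot so that a later
 * read-back looks consistent. Both modes report success like a real device. */
long decoy_write(struct decoy_mem *d, size_t off, const uint8_t *src, size_t len)
{
    if (off > MEM_SIZE || len > MEM_SIZE - off) return -1;
    if (d->policy == WRITE_TO_DUMP)
        memcpy(d->dump + off, src, len);
    return (long)len;
}

/* Does the live memory still match what readers see? (false once instrumented) */
int decoy_live_matches_dump(const struct decoy_mem *d)
{
    return memcmp(d->live, d->dump, MEM_SIZE) == 0;
}

int main(void)
{
    /* Constructed sample contents standing in for a small region of memory. */
    uint8_t initial[MEM_SIZE];
    for (size_t i = 0; i < MEM_SIZE; i++) initial[i] = (uint8_t)i;

    struct decoy_mem d;
    decoy_init(&d, initial, MEM_SIZE, WRITE_IGNORE);

    const uint8_t patch[4] = { 0xde, 0xad, 0xbe, 0xef };
    decoy_live_write(&d, 8, patch, 4); /* instrumentation alters live memory */

    uint8_t seen[4];
    decoy_read(&d, 8, seen, 4);        /* reader still gets the old bytes */
    printf("reader sees: %02x %02x %02x %02x (live differs: %s)\n",
           seen[0], seen[1], seen[2], seen[3],
           decoy_live_matches_dump(&d) ? "no" : "yes");
    return 0;
}
```

The WRITE_IGNORE policy is simpler but, as the post notes, the box then "proceeds as normal" after a write that should have had an effect; WRITE_TO_DUMP keeps reads and writes self-consistent from the reader's point of view while still never touching live memory.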